How to detect a keylogger?

z3r0aCc3Ss
Fame ! Where are the chicks?!
Posts: 700
Joined: 23 Jun 2009, 16:00

Post by z3r0aCc3Ss »

Hello friends, I am back after a long long time. I have been given a task on keyloggers.
I want to discover how to detect keyloggers. There is one program called KL-Detector, but I don't want to use that and also it is not perfect. I DON'T want to use ANY tool.

I want a manual search and recovery method for keyloggers. Any help from anyone would be appreciated. There are very noob methods I found on Google, but they are limited to only 40% of the keylogger concept.

One more question. Do keyloggers use the kernel as rootkits do?
Beta tester for major RATs, all kinds of stealers and keyloggers.
Learning NMAP

Post by z3r0aCc3Ss »

If that keylogger is using FTP or PHP or SMTP to upload logs, then it's quite easy to detect. But what if it is built into the system, or more importantly, what if the keylogger is hardware and not software?

Also, is it possible to detect a hardware keylogger without looking at the back of the CPU? Is there any program to scan for such a problem? This is a very funny question, but I am just asking...

floodhound2
∑lectronic counselor
Posts: 2117
Joined: 03 Sep 2006, 16:00
Location: 127.0.0.1
Post by floodhound2 »

Well, if it's a hardware key logger, just unplug it from the computer.
₣£ΘΘĐĦΘŮŇĐ

Post by z3r0aCc3Ss »

floodhound2 wrote:
> Well, if it's a hardware key logger, just unplug it from the computer.

Yeah, that's it. But is there any software to detect that also?

Any suggestions on my above 2 posts? Please help...

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.
Post by bad_brain »

hardware keyloggers can't be found via software, simply because they don't have any connection to the software level of the system.

and no, keyloggers usually don't use rootkit techniques....to install a rootkit the system must already be under complete control, it's not like with the good old trojans where clicking an exe installs it....at least I am not aware of any rootkit that can be installed that way.

finding a software keylogger can be easy or pretty tricky, depends on the techniques it uses....usually it should be easy to find in the process list, but of course it is possible to camouflage it by naming the process "svchost" for example, so it is a must to check every process manually (where is the exe located for example), ProcessExplorer is a great help for this.

you also should watch the outgoing connections, best with TCPview, of course most keyloggers don't send permanent traffic (after every keyboard interaction I mean) because it would be too suspicious, but a nice way to get a grip on the connection attempts would be to simply let the box idle for 1-2 days and log the traffic with Wireshark.
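The two manual checks bad_brain describes (look at where each process's exe actually lives, and watch which processes keep connecting out while the box idles) can be scripted over exported data. This is an added example, not code from the thread: the process export, the connection log and the expected-folder table are constructed for illustration, and real Process Explorer, TCPView or Wireshark output would first need to be converted into this simple text form.

```python
"""Offline triage of a process export and an idle-box connection log (added
example; the sample data below is constructed, not taken from a real machine)."""
from collections import defaultdict
from datetime import datetime
# Expected folders for commonly impersonated names (assumption: default
# install paths; build the table from a known-clean machine instead).
EXPECTED_DIRS = {"svchost.exe": r"c:\windows\system32",
                 "explorer.exe": r"c:\windows"}

PROCESS_EXPORT = """\
Process,PID,Path
svchost.exe,812,C:\\Windows\\System32\\svchost.exe
explorer.exe,1344,C:\\Windows\\explorer.exe
svchost.exe,4120,C:\\Users\\Public\\svchost.exe
"""
CONNECTION_LOG = """\
2009-07-01 02:00:05 svchost.exe 4120 -> 198.51.100.7:21
2009-07-01 02:10:04 svchost.exe 4120 -> 198.51.100.7:21
2009-07-01 02:20:06 svchost.exe 4120 -> 198.51.100.7:21
2009-07-01 03:15:00 svchost.exe 812 -> 203.0.113.10:80
"""

def find_masquerading(export):
    """(name, pid, path) for processes named like a system binary but
    running from a folder other than the expected one."""
    hits = []
    for line in export.strip().splitlines()[1:]:  # skip the header row
        name, pid, path = line.split(",", 2)
        expected = EXPECTED_DIRS.get(name.lower())
        if expected and not path.lower().startswith(expected + "\\"):
            hits.append((name, int(pid), path))
    return hits

def find_beacons(log, min_connections=3, tolerance=30):
    """(name, pid, dest, interval_s) for each process that reconnects to one
    destination >= min_connections times at near-constant spacing (every gap
    within `tolerance` seconds of every other gap)."""
    seen = defaultdict(list)
    for line in log.strip().splitlines():
        date, time, name, pid, _, dest = line.split()
        seen[(name, int(pid), dest)].append(
            datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"))
    beacons = []
    for key, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_connections and gaps and max(gaps) - min(gaps) <= tolerance:
            beacons.append(key + (int(sum(gaps) / len(gaps)),))
    return beacons
```

Run on the constructed data it flags the svchost.exe copy living under C:\Users\Public and that same PID reconnecting to one FTP host roughly every ten minutes while the machine is unattended.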

Post by z3r0aCc3Ss »

Thanks a lot bb for that valuable info.
Post by z3r0aCc3Ss »

Here, I got some info on keylogger construction:

The most common methods used to construct keylogging software are as follows:

a system hook which intercepts notification that a key has been pressed (installed using WinAPI SetWindowsHook for messages sent by the window procedure. It is most often written in C);

a cyclical information keyboard request from the keyboard (using WinAPI Get(Async)KeyState or GetKeyboardState – most often written in Visual Basic, sometimes in Borland Delphi);

using a filter driver (requires specialized knowledge and is written in C).